{"id":123,"date":"2014-11-14T16:40:20","date_gmt":"2014-11-14T16:40:20","guid":{"rendered":"https:\/\/redbooth.com\/engineering\/?p=123"},"modified":"2014-11-14T16:50:41","modified_gmt":"2014-11-14T16:50:41","slug":"default-content-security-policy","status":"publish","type":"post","link":"https:\/\/redbooth.com\/engineering\/security\/default-content-security-policy","title":{"rendered":"Default Browser Content Security Policy"},"content":{"rendered":"<p>Imagine just for one second that you are browsing the web at home through your nice router or at work through a set of firewalls, routers and switches. Imagine just for one second that you have some private service in this network like databases or some web server. Then the amazing remote site includes in its HTML source a script tag or an image tag that targets some resource on your local network. What does the browser do? It just loads it.<\/p>\n<p>Take this HTML as an example:<\/p>\n<pre>\r\n<!DOCTYPE html>\r\n<html>\r\n  <head>\r\n    <meta charset=\"UTF-8\">\r\n    <title>Test<\/title>\r\n    <script type=\"text\/javascript\" src=\"http:\/\/192.168.3.2\/assets\/javascript\/app.js\"><\/script>\r\n    <script type=\"text\/javascript\" src=\".\/monkeypatch.js\"><\/script>\r\n  <\/head>\r\n\r\n  <body>\r\n    ...\r\n  <\/body>\r\n\r\n<\/html>\r\n<\/pre>\n<p>Which security level has been bypassed?<\/p>\n<p>One day I heard that this is an intrinsic <em>feature<\/em> of the web.<\/p>\n<p>If you think a little bit about the impact of that <em>feature<\/em>, or you check some of the well-known JavaScript attacks, you will realize that you can do things like:<\/p>\n<ul style=\"margin: 0 0 1.5em 1em\">\n<li>Ask for a remote JavaScript file, web service or JSON configuration file<\/li>\n<li>DDoS a local network<\/li>\n<li>Map your local network infrastructure<\/li>\n<\/ul>\n<p>And all those attacks could be executed even if you have a DMZ infrastructure.<\/p>\n<h2><a id=\"user-content-similarities\" class=\"anchor\" 
href=\"#similarities\"><\/a>Similarities<\/h2>\n<p>A number of engineers have been working on a similar issue but from another perspective. The result of all this work has been one of the best lines of investigation in web security in recent years. This work has been called the <a href=\"http:\/\/www.w3.org\/TR\/CSP2\">Content Security Policy<\/a>.<\/p>\n<p>This technology allows websites to protect against undesired content loaded from other resources into their own context. This is very useful to fight against XSS attacks, mixed content, etc.<\/p>\n<p>My question here is: who protects the user from a malicious website that loads content from another, unauthorized resource? The browser is the best actor to manage this.<\/p>\n<h2><a id=\"user-content-solution\" class=\"anchor\" href=\"#solution\"><\/a>Solution<\/h2>\n<p>My proposal to fight against this issue is quite simple and can reuse a large amount of existing code in current browsers. The idea is to have a default CSP at browser level refusing to load content from local networks.<\/p>\n<p>This could be set by default in the browser, or maybe at domain level if you&#8217;re in a corporation.<\/p>\n<p>What are the main steps to have this technology working in your browser?<\/p>\n<ul style=\"margin: 0 0 1.5em 1em\">\n<li><strong>Improve the request flow<\/strong>: set this new default CSP rule in the browser request flow<\/li>\n<li><strong>Intersect CSPs<\/strong>: we need an algorithm to intersect the website CSP with the default browser CSP, giving higher priority to the browser settings.<\/li>\n<li><strong>Negative rules<\/strong>: to be able to reject undesired accesses we need to extend the CSP specification to allow negative rules. Something like <code>!&lt;domain&gt;<\/code>. 
Example: <code>!192.168.*.*<\/code><\/li>\n<\/ul>\n<h2><a id=\"user-content-hypothetical-case\" class=\"anchor\" href=\"#hypothetical-case\"><\/a>Hypothetical case<\/h2>\n<p>Imagine a website (e.g. <code>example.com<\/code>) responding to a request with this CSP header:<\/p>\n<pre><code>Content-Security-Policy: default-src 'self'; img-src * 127.0.0.1; script-src scripts.example.com<\/code><\/pre>\n<p>and imagine this default browser CSP setting:<\/p>\n<pre><code>Content-Security-Policy: img-src !127.*.*.* !192.168.*.* !10.*.*.*; script-src !127.*.*.* !192.168.*.* !10.*.*.*;<\/code><\/pre>\n<p>The final policy applied to the current website would be:<\/p>\n<pre><code>Content-Security-Policy: default-src 'self'; img-src !127.*.*.* !192.168.*.* !10.*.*.*; script-src scripts.example.com !127.*.*.* !192.168.*.* !10.*.*.*;<\/code><\/pre>\n<p>In this case the browser policy has higher priority and overrides whatever rules the current website sets. This behaviour lets the browser reject suspicious accesses to local networks while still trusting other URLs, for example:<\/p>\n<ul style=\"margin: 0 0 1.5em 1em\">\n<li>http:\/\/127.0.0.1\/test.png (Rejected)<\/li>\n<li>http:\/\/10.12.3.2\/assets\/javascript\/app.js (Rejected)<\/li>\n<li>http:\/\/192.168.3.23:3306\/test (Rejected)<\/li>\n<li>http:\/\/scripts.example.com\/javascripts\/application.js (Accepted)<\/li>\n<li>http:\/\/i.imgur.com\/aBrAx.jpg (Accepted)<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Imagine just for one second that you are browsing the web at home through your nice router or at work through a set of firewalls, routers and switches. Imagine just for one second that you have some private service in this network like databases or some web server. 
Then the amazing remote site adds on <a class=\"read-more\" href=\"https:\/\/redbooth.com\/engineering\/security\/default-content-security-policy\">&hellip;&nbsp;<span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":48,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-123","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/redbooth.com\/engineering\/wp-json\/wp\/v2\/posts\/123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/redbooth.com\/engineering\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/redbooth.com\/engineering\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/redbooth.com\/engineering\/wp-json\/wp\/v2\/users\/48"}],"replies":[{"embeddable":true,"href":"https:\/\/redbooth.com\/engineering\/wp-json\/wp\/v2\/comments?post=123"}],"version-history":[{"count":0,"href":"https:\/\/redbooth.com\/engineering\/wp-json\/wp\/v2\/posts\/123\/revisions"}],"wp:attachment":[{"href":"https:\/\/redbooth.com\/engineering\/wp-json\/wp\/v2\/media?parent=123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/redbooth.com\/engineering\/wp-json\/wp\/v2\/categories?post=123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/redbooth.com\/engineering\/wp-json\/wp\/v2\/tags?post=123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}